lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Fri, 12 May 2017 12:10:04 +0800
From:   Shawn <citypw@...il.com>
To:     tytso@...nk.org, linux-kernel@...r.kernel.org
Cc:     Pipacs <pageexec@...il.com>, Brad Spengler <spender@...ecurity.net>
Subject: PAX: size overflow detected in function ext4_llseek fs/ext4/file.c:670

Hi,

One of PaX/Grsecurity feature( PAX_SIZE_OVERFLOW) caught a bug in ext4
file system:

May 10 12:05:49 debian8-test kernel: [  130.765865] PAX: size overflow
detected in function ext4_llseek fs/ext4/file.c:670 cicus.162_143 max,
count: 13, decl: ext4_get_next_extent; num: 3; context: fndecl;
May 10 12:05:49 debian8-test kernel: [  130.767905] CPU: 0 PID: 1643
Comm: trinity-c4 Not tainted 4.10.14-grsec #1
May 10 12:05:49 debian8-test kernel: [  130.767919] Hardware name:
QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1
04/01/2014
May 10 12:05:49 debian8-test kernel: [  130.767920] Call Trace:
May 10 12:05:49 debian8-test kernel: [  130.767946]
[<ffffffff8148f716>] ? dump_stack+0x7b/0xc5
May 10 12:05:49 debian8-test kernel: [  130.767950]
[<ffffffff8129eaf9>] ? report_size_overflow+0x99/0xd0
May 10 12:05:49 debian8-test kernel: [  130.767957]
[<ffffffffa031f587>] ? ext4_exit_fs+0x3700/0x279e0 [ext4]
May 10 12:05:49 debian8-test kernel: [  130.767959]
[<ffffffff8129eb0b>] ? report_size_overflow+0xab/0xd0
May 10 12:05:49 debian8-test kernel: [  130.767962]
[<ffffffffa02aac55>] ? ext4_llseek+0x895/0xd90 [ext4]
May 10 12:05:49 debian8-test kernel: [  130.767966]
[<ffffffff810019c3>] ? syscall_trace_enter+0x203/0x330
May 10 12:05:49 debian8-test kernel: [  130.767970]
[<ffffffff811864ce>] ? __audit_syscall_entry+0xfe/0x160
May 10 12:05:49 debian8-test kernel: [  130.767971]
[<ffffffff8100195d>] ? syscall_trace_enter+0x19d/0x330
May 10 12:05:49 debian8-test kernel: [  130.767973]
[<ffffffff81290820>] ? rap_sys_lseek+0xf0/0x140
May 10 12:05:49 debian8-test kernel: [  130.767974]
[<ffffffff81001ec1>] ? do_syscall_64+0x91/0x180
May 10 12:05:49 debian8-test kernel: [  130.767976]
[<ffffffff81908573>] ? entry_SYSCALL64_slow_path+0x32/0x32

Kernel: linux-4.10.14
Testing on: Debian 8

Kernel log was attached! You can find the full Trinity fuzzer logs here:

https://github.com/hardenedlinux/community-QA/tree/master/bug_report/trinity-log-20170511

Some technical analysis from PaX team:
-------------------------------------------------------------------------------

thanks for the reports, keep them coming . this is an interesting one,
here's the code (same at both lines in ext4_seek_hole and ext4_seek_data):

670 »·······start = offset >> blkbits;

in types this is

u32 = long long >> int;

since the maximum value was exceeded it means that offset (long long,
64 bits even on 32 bit archs) had a value that didn't fit u32 when right
shifted. based on some light code reading, blkbits is between 10-16 on
ext4 (EXT4_MIN_BLOCK_SIZE-EXT4_MAX_BLOCK_SIZE) so depending on what the
actual block size of the underlying filesystem was, offset must have been
bigger than 2^42-2^48 (4TB-256TB).

now i don't know how the maximum file size scales with the block size
but apparently it was possible to create a file big enough that'd cause
the integer truncation error caught above. my opinion is that this is
a bug in ext4 and you should report it to Ted T'so and work with him on
the proper fix (he can also tell what the consequences of this truncation
are, if any). to actually confirm the integer truncation you should add
a printk above those lines and print out the values of offset and blkbits.
to reduce log spam you can make it conditional on offset >= 1LL << blkbits.

cheers,
 PaX Team
-------------------------------------------------------------------------------



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn

View attachment "kern.log" of type "text/x-log" (355674 bytes)

Powered by blists - more mailing lists